# openssh

## Overview

openssh management

## Module Description

openssh client and server management

## Setup

### What openssh affects

Manages:
- files:
  - /etc/ssh/sshd_config
  - /etc/ssh/ssh_config
  - on RHEL 8 the file /etc/sysconfig/sshd is also managed
- packages:
  - client package (if not included in the server package)
  - server package
### Beginning with openssh

```puppet
class { 'openssh::client': }
class { 'openssh::server': }
```
## Usage

The global variable `eypopensshserver::hardening` enables or disables the default hardening (default: false).

```puppet
class { 'openssh': }
class { 'openssh::server': }
class { 'openssh::client': }
```

```puppet
openssh::privkey { 'postgres':
  homedir => '/var/lib/pgsql',
}
```

```puppet
openssh::match { 'chroot':
  groups          => [ 'sftp' ],
  forcecommand    => 'internal-sftp',
  chrootdirectory => '%h',
}
```

```puppet
openssh::denyuser { 'loluser': }
openssh::denyuser { 'loluser2': }
openssh::allowuser { 'allowuser5': }
openssh::allowuser { 'allowuser6': }
```

```puppet
class { 'openssh::server':
  denyusers         => [ 'loluser3', 'loluser4' ],
  allowusers        => [ 'root', 'ggg', 'kk', 'rrr' ],
  enableldapsshkeys => false,
}
```
```puppet
openssh::match { 'users ips allowed':
  users       => [ 'ada', 'ualoc' ],
  allowed_ips => [ '1.2.3.4', '5.6.7.8', '1.1.1.1' ],
}
```

This will generate the following config in sshd_config, one `AllowUsers user@ip` line per user/IP pair:

```
Match user ada,ualoc
AllowTcpForwarding no
AllowUsers ada@1.2.3.4
AllowUsers ada@5.6.7.8
AllowUsers ada@1.1.1.1
AllowUsers ualoc@1.2.3.4
AllowUsers ualoc@5.6.7.8
AllowUsers ualoc@1.1.1.1
```
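The following Python script is an added illustration written for this README, not the module's own template: it renders the `Match` block that an `openssh::match` resource describes, reproducing the output shown above for the `users ips allowed` example and extending the same logic to the other matchers (`groups`, `addresses`, `hosts`) and options (`chrootdirectory`, `forcecommand`, `allow_tcp_forwarding`). The user-major order of the `AllowUsers` pairs, the four-space indentation and the ordering of the `ChrootDirectory` and `ForceCommand` lines are assumptions; the module's template may differ in those details.

```python
"""Render the sshd_config Match block that openssh::match's parameters describe.

Added illustration for this README, not the module's template (assumption:
directive order and indentation beyond the README's 2 x 3 example).
"""
from ipaddress import ip_network
from typing import List, Optional, Sequence

INDENT = "    "


def render_match(
    name: str,
    users: Optional[Sequence[str]] = None,
    groups: Optional[Sequence[str]] = None,
    addresses: Optional[Sequence[str]] = None,
    hosts: Optional[Sequence[str]] = None,
    chrootdirectory: Optional[str] = None,
    forcecommand: Optional[str] = None,
    allow_tcp_forwarding: bool = False,
    allowed_ips: Optional[Sequence[str]] = None,
) -> List[str]:
    """Return the lines of one Match block, mirroring the define's parameters."""
    # Match criteria: sshd keywords are case-insensitive; a block needs at least one.
    criteria = []
    for keyword, values in (("user", users), ("group", groups),
                            ("host", hosts), ("address", addresses)):
        if values:
            criteria.append(f"{keyword} {','.join(values)}")
    if not criteria:
        raise ValueError(f"openssh::match '{name}': at least one matcher must be set")

    lines = ["Match " + " ".join(criteria)]
    # allow_tcp_forwarding defaults to false, hence the 'AllowTcpForwarding no'
    # the README shows even when no other option is given.
    lines.append(f"{INDENT}AllowTcpForwarding {'yes' if allow_tcp_forwarding else 'no'}")
    if chrootdirectory:
        lines.append(f"{INDENT}ChrootDirectory {chrootdirectory}")
    if forcecommand:
        lines.append(f"{INDENT}ForceCommand {forcecommand}")

    if allowed_ips:
        # allowed_ips only makes sense together with users: it pins each matched
        # user to the listed source addresses with one 'AllowUsers user@addr'
        # line per (user, address) pair, as in the README's 2 users x 3 IPs example.
        if not users:
            raise ValueError(f"openssh::match '{name}': allowed_ips requires users")
        for ip in allowed_ips:
            ip_network(ip, strict=False)  # rejects typos before they reach sshd_config
        for user in users:
            for ip in allowed_ips:
                lines.append(f"{INDENT}AllowUsers {user}@{ip}")
    return lines


def render_sshd_matches(blocks: Sequence[dict]) -> str:
    """Join several openssh::match definitions into the text appended to sshd_config.

    Match blocks must come last: everything after the first 'Match' line belongs
    to a Match block, so this text is meant to be appended to the global settings.
    """
    return "\n".join("\n".join(render_match(**block)) for block in blocks) + "\n"


if __name__ == "__main__":
    print(render_sshd_matches([
        {"name": "chroot", "groups": ["sftp"], "forcecommand": "internal-sftp",
         "chrootdirectory": "%h"},
        {"name": "users ips allowed", "users": ["ada", "ualoc"],
         "allowed_ips": ["1.2.3.4", "5.6.7.8", "1.1.1.1"]},
    ]))
```

Because sshd evaluates `AllowUsers` patterns per connection, a user listed only with `user@ip` entries inside the block is rejected from any other source address, which is the restriction the `allowed_ips` parameter is meant to express; the renderer refuses a block with no matcher, since sshd would reject such a `Match` line at startup.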
## Reference

### global variables

- `eypopensshserver::hardening`: manages the default hardening of Ciphers and MACs (default: false)
### classes

#### openssh

Empty class, just a placeholder.
#### openssh::client

Most variables are standard OpenSSH client options; please refer to the ssh_config documentation for further details:

- gssapi_authentication (default: true)
#### openssh::server

Most variables are standard OpenSSH server options; please refer to the sshd_config documentation for further details:

- ensure: service's ensure (default: running)
- manage_service (default: true)
- manage_docker_service (default: true)
- enable (default: true)
- port (default: 22)
- permitrootlogin (default: no)
- usedns (default: false)
- usepam (default: true)
- x11forwarding (default: false)
- passwordauth (default: true)
- permitemptypasswords (default: false)
- enableldapsshkeys (default: false)
- syslogfacility
- banner (default: undef)
- clientaliveinterval (default: 900)
- clientalivecountmax (default: 0)
- log_level (default: INFO)
- ignore_rhosts (default: true)
- hostbased_authentication (default: false)
- maxauthtries (default: 4)
- permit_user_environment (default: false)
- allowusers: list of users for AllowUsers (sshd evaluates DenyUsers first, then AllowUsers; default: undef)
- denyusers: list of users for DenyUsers (sshd evaluates DenyUsers first, then AllowUsers; default: undef)
- x11uselocalhost (default: false)
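To check that a deployed `/etc/ssh/sshd_config` still carries the values these parameters document, the following Python script is an added example written for this README, not part of the module. The mapping from `openssh::server` parameter names to sshd_config keywords is my reading of the parameter list above, not the module's template, and the sample configuration is constructed. It encodes two sshd rules that matter when reading the file by hand: for a repeated keyword the first occurrence wins, and nothing after the first `Match` line applies globally.

```python
"""Compare an sshd_config with the defaults openssh::server documents.

Added example for this README, not part of the module (assumption: the
parameter -> keyword mapping below; the sample config is constructed).
"""
import re
from typing import Dict, List, Tuple

# openssh::server parameter -> (sshd_config keyword, value of the documented default);
# Puppet booleans are rendered as the yes/no that sshd expects.
EXPECTED = {
    "port": ("Port", "22"),
    "permitrootlogin": ("PermitRootLogin", "no"),
    "usedns": ("UseDNS", "no"),
    "usepam": ("UsePAM", "yes"),
    "x11forwarding": ("X11Forwarding", "no"),
    "passwordauth": ("PasswordAuthentication", "yes"),
    "permitemptypasswords": ("PermitEmptyPasswords", "no"),
    "clientaliveinterval": ("ClientAliveInterval", "900"),
    "clientalivecountmax": ("ClientAliveCountMax", "0"),
    "log_level": ("LogLevel", "INFO"),
    "ignore_rhosts": ("IgnoreRhosts", "yes"),
    "hostbased_authentication": ("HostbasedAuthentication", "no"),
    "maxauthtries": ("MaxAuthTries", "4"),
    "permit_user_environment": ("PermitUserEnvironment", "no"),
    "x11uselocalhost": ("X11UseLocalhost", "no"),
}

# "keyword value" or "keyword=value" (sshd_config accepts one '=' with optional spaces)
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global(config_text: str) -> Dict[str, str]:
    """Return the effective global settings as a lower-cased keyword -> value map.

    For a repeated keyword sshd keeps the FIRST occurrence, and everything after
    the first 'Match' line belongs to a Match block, so parsing stops there.
    """
    effective: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        keyword, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        keyword = keyword.lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def check_defaults(config_text: str) -> List[Tuple[str, str, str, str]]:
    """List (parameter, keyword, actual, expected) where the file deviates.

    An absent keyword is reported as 'unset': sshd then applies its own
    compiled-in default, which is not necessarily the value the module documents.
    """
    effective = parse_global(config_text)
    findings = []
    for param, (keyword, expected) in EXPECTED.items():
        actual = effective.get(keyword.lower())
        if actual is None:
            findings.append((param, keyword, "unset", expected))
        elif actual.lower() != expected.lower():
            findings.append((param, keyword, actual, expected))
    return findings


# Constructed sample, not a real host's file. It deliberately repeats
# PermitRootLogin, leaves PermitEmptyPasswords out and tightens MaxAuthTries
# only inside a Match block, so the global value stays at 6.
SAMPLE_SSHD_CONFIG = """\
# sshd_config, constructed sample
Port 22
PermitRootLogin yes
PermitRootLogin no
UsePAM yes
UseDNS no
X11Forwarding no
PasswordAuthentication yes
ClientAliveInterval 900
ClientAliveCountMax 0
LogLevel INFO
IgnoreRhosts yes
HostbasedAuthentication no
MaxAuthTries 6
PermitUserEnvironment no
X11UseLocalhost no

Match user ada,ualoc
    AllowTcpForwarding no
    MaxAuthTries 4
"""

if __name__ == "__main__":
    for param, keyword, actual, expected in check_defaults(SAMPLE_SSHD_CONFIG):
        print(f"{param}: {keyword} is {actual}, module default is {expected}")
```

On the constructed sample the check reports three deviations: `PermitRootLogin` is effectively `yes` because the first line wins over the later `no`, `PermitEmptyPasswords` is unset, and `MaxAuthTries` is 6 globally because the `4` sits inside a `Match` block. `sshd -T` on the host itself prints the same effective values and is the authoritative check; this script is useful when only the file, not the host, is at hand.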
Private class to manage openssh::server's service.
### defines

#### openssh::allowuser

- username (default: resource's name)

#### openssh::denyuser

- username (default: resource's name)
#### openssh::match

- matchers (at least one must be set):
  - groups (default: undef)
  - users (default: undef)
  - addresses (default: undef)
  - hosts (default: undef)
- chrootdirectory: it might not be supported (default: undef)
- forcecommand (default: undef)
- allow_tcp_forwarding (default: false)
- allowed_ips: list of IP addresses the matched users are allowed to connect from (default: undef)
#### openssh::privkey

- ensure (default: present)
- user (default: resource's name)
- group (default: resource's name)
- homedir (default: /home/${name})
- type (default: rsa)
- passphrase (default: '')
## Limitations

Tested on:
- CentOS 5
- CentOS 6
- CentOS 7
- Ubuntu 14.04
- Ubuntu 16.04
- SLES 11 SP3
## Development

We are pushing to have acceptance testing in place, so any new feature should come with tests that check both the presence and the absence of the feature.

### TODO

- Move openssh::server configuration options to the openssh::server namespace, for example:
  - openssh::denyuser -> openssh::server::denyuser

### Contributing

- Fork it
- Create your feature branch (`git checkout -b my-new-feature`)
- Commit your changes (`git commit -am 'Added some feature'`)
- Push to the branch (`git push origin my-new-feature`)
- Create new Pull Request